b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                      Additional Security Is Needed for the\n                        Taxpayer Secure Email Program\n\n\n\n                                        February 4, 2011\n\n                             Reference Number: 2011-20-012\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n and information determined to be restricted from public release has been redacted from this document.\n\n   Redaction Legend:\n   1 = Tax Return/Return Information\n\n\n\n Phone Number | 202-622-6500\n Email Address | TIGTACommunications@tigta.treas.gov\n Web Site      | http://www.tigta.gov\n\x0c                                                HIGHLIGHTS\n\n\nADDITIONAL SECURITY IS NEEDED FOR                   encrypting their emails that contain SBU data.\nTHE TAXPAYER SECURE EMAIL                           These violations of the program were not\nPROGRAM                                             reported to IRS management. Furthermore, IRS\n                                                    procedures and training lacks adequate\n                                                    guidance for employees to report the violations.\nHighlights                                          In addition, the IRS does not timely correct\n                                                    persistent medium-risk security vulnerabilities\nFinal Report issued on February 4, 2011             detected on email servers.\n                                                    WHAT TIGTA RECOMMENDED\nHighlights of Reference Number: 2011-20-012\nto the Internal Revenue Service Chief               TIGTA recommended that the Large Business\nTechnology Officer; Commissioner for Large          and International Division and Office of Appeals\nBusiness and International Division; Chief of the   coordinate with the Office of Privacy, Information\nOffice of Appeals; and Director of the Office of    Protection, and Data Security to develop\nPrivacy, Information Protection and Data            additional procedures for employees\nSecurity.                                           participating in the Secure Email With Taxpayers\n                                                    program to address how, when, and to whom\nIMPACT ON TAXPAYERS                                 employee and taxpayer secure email violations\n                                                    should be reported; update guides and training\nInternal Revenue Service (IRS) employees and\n                                                    materials to include these procedures; amend\ntaxpayers are required to work together to\n                                                    the Memorandum of Understanding to apprise\nensure the security of taxpayers\xe2\x80\x99 sensitive data\n                                                    the taxpayer of the specific risks associated with\ntransmitted in email messages. If employees\n                                                    transmitting unencrypted email with SBU data;\nand taxpayers do not follow the required security\n                                                    and issue a memorandum to all employees\npolicies, the risks to taxpayers\xe2\x80\x99 sensitive data\n                                                    advising them of the disciplinary actions that will\nare increased. The data could be intercepted\n                                                    be taken against employees who violate IRS\nand accessed by unauthorized individuals or\n                                                    email policies by sending unencrypted emails to\ninadvertently sent to the wrong recipient.\n                                                    taxpayers who have not signed a Memorandum\nWHY TIGTA DID THE AUDIT                             of Understanding to participate in the program.\n\nThis audit was initiated because the IRS relaxed    TIGTA also recommended that the Associate\nits long-standing internal policy prohibiting       Chief Information Officer, Cybersecurity,\nemployees from transmitting Sensitive But           ensure data leakage prevention software is\nUnclassified (SBU) data to taxpayers in emails.     implemented by April 2012, and update the\nThe objective of the review was to determine        annual Information Systems Security briefing to\nwhether IRS controls, policies, and procedures      include the new Secure Email With Taxpayers\nfor sensitive email messages to taxpayers           procedures. Lastly, TIGTA recommended the\nadequately protected taxpayers\xe2\x80\x99 data, guarded       Associate Chief Information Officer, Enterprise\nagainst email threats to the IRS network, and       Operations, ensure medium-risk vulnerabilities\nensured email practices were compliant with         detected on email servers are appropriately\nFederal regulations.                                tracked and, if the vulnerabilities cannot be\n                                                    corrected within two months, follow security\nWHAT TIGTA FOUND                                    requirements to post the vulnerabilities to the\n                                                    appropriate Plan of Actions and Milestones.\nAlthough some controls for the Secure Email\nWith Taxpayers program are in place, such as        In their response to the report, IRS officials\nthe installation of antivirus software on           agreed with six of the recommendations and\nemployees\xe2\x80\x99 computers, other security controls       partially agreed with three. For the three\nwere not implemented. The IRS has not               partially agreed recommendations, TIGTA\nimplemented an automated control to detect and      continues to believe that the IRS should fully\nprevent SBU data in unencrypted emails from         implement the recommendations.\nbeing transmitted outside the IRS. In addition,\nsome employees and taxpayers are not\n\x0c                                            DEPARTMENT OF THE TREASURY\n                                                 WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                           February 4, 2011\n\n\n MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER\n                COMMISSIONER, LARGE BUSINESS AND INTERNATIONAL\n                DIVISION\n                CHIEF, OFFICE OF APPEALS\n                DIRECTOR, OFFICE OF PRIVACY, INFORMATION\n                PROTECTION AND DATA SECURITY\n\n FROM:                       Michael R. Phillips\n                             Deputy Inspector General for Audit\n\n SUBJECT:                    Final Audit Report \xe2\x80\x93 Additional Security Is Needed for the Taxpayer\n                             Secure Email Program (Audit # 201020021)\n\n This report presents the results of our review to determine whether Internal Revenue Service\n (IRS) controls, policies, and procedures for sensitive email messages to taxpayers adequately\n protected taxpayers\xe2\x80\x99 data, guarded against email threats to the IRS network, and ensured email\n practices were compliant with Federal regulations. This audit was included in the Treasury\n Inspector General for Tax Administration Fiscal Year 2010 Annual Audit Plan and was part of\n our statutory requirement to annually review the adequacy and security of IRS technology.\n Management\xe2\x80\x99s complete response to the draft report is included as Appendix IV.\n Copies of this report are also being sent to the IRS managers affected by the report\n recommendations. Please contact me at (202) 622-6510 if you have questions or Alan R.\n Duncan, Assistant Inspector General for Audit (Security and Information Technology Services),\n at (202) 622-5894.\n\x0c                                                 Additional Security Is Needed\n                                           for the Taxpayer Secure Email Program\n\n\n\n\n                                             Table of Contents\n\nBackground .......................................................................................................... Page 1\n\nResults of Review ............................................................................................... Page 3\n          Some Controls Have Been Implemented to Mitigate the\n          Risks of the Secure Email With Taxpayers Program.................................... Page 3\n          An Automated Control to Detect Sensitive But Unclassified\n          Data in Unencrypted Emails Transmitted Outside the\n          Internal Revenue Service Has Not Been Implemented................................. Page 4\n                    Recommendation 1:........................................................ Page 5\n\n          Additional Procedures and Training to Protect Taxpayers\xe2\x80\x99\n          Sensitive Data Transmitted in Emails Should Be Developed\n          and Implemented ........................................................................................... Page 5\n                    Recommendations 2 and 3: .............................................. Page 8\n\n                    Recommendations 4 and 5: .............................................. Page 9\n\n                    Recommendations 6 and 7: ....................................................... Page 10\n\n          Medium-Risk Vulnerabilities on Email Servers Are Not\n          Timely Corrected .......................................................................................... Page 10\n                    Recommendation 8:........................................................ Page 12\n\n          Some Unauthorized Employees Are Sending and Receiving\n          Sensitive Data in Emails ............................................................................... Page 12\n                    Recommendation 9:........................................................ Page 13\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................ Page 15\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................ Page 19\n          Appendix III \xe2\x80\x93 Report Distribution List ....................................................... Page 20\n          Appendix IV \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report ...................... Page 21\n\x0c               Additional Security Is Needed\n         for the Taxpayer Secure Email Program\n\n\n\n\n             Abbreviations\n\nEOPS   Enterprise Operations\nIRS    Internal Revenue Service\nLB&I   Large Business and International Division\nMOU    Memorandum of Understanding\nNIST   National Institute for Standards and Technology\nSBU    Sensitive But Unclassified\n\x0c                                          Additional Security Is Needed\n                                    for the Taxpayer Secure Email Program\n\n\n\n\n                                            Background\n\nElectronic mail (email) presents one of the highest security risks to an organization\xe2\x80\x99s sensitive\ndata and computer network. For example, most computer viruses are spread through email\nattachments and emails with links to malicious web sites. Computer viruses can destroy data on\ncomputers, disrupt computer operations, and degrade network performance. In addition,\nsensitive data transmitted in emails could be intercepted by unauthorized individuals or\ninadvertently sent to the wrong recipient.\nThe Internal Revenue Service (IRS) relies on email to communicate within the organization.\nMost managers and employees have access to email and can send sensitive data to other\nemployees using the Secure Enterprise Messaging System.1 The most common type of sensitive\ninformation processed by the IRS is Sensitive But Unclassified (SBU) information, which\nincludes taxpayers\xe2\x80\x99 tax and financial data as well as Personally Identifiable Information.\nTo protect taxpayers\xe2\x80\x99 sensitive data transmitted in email messages, IRS procedures require the\nemail system provide appropriate security to the network where the system resides and to the\ndata stored and transmitted by the email system in accordance with the standards and guidelines\ndeveloped by the National Institute for Standards and Technology (NIST).2 The NIST\nrecommends agencies implement automated tools, such as a network data leakage prevention\ntool, to monitor transfers of Personally Identifiable Information, and to monitor inbound and\noutbound communications for unauthorized activities.\nPrior to November 2007, the IRS maintained a long-standing policy that prohibited sending SBU\ndata in emails to taxpayers or a taxpayer\xe2\x80\x99s representative, such as a Power of Attorney. IRS\nprocedures directed employees to not send SBU data by email to parties outside of the IRS or the\nDepartment of the Treasury, even if the other party uses encryption software. The IRS cited the\nrisks to taxpayers\xe2\x80\x99 privacy as the reason for its policy.\nThe IRS relaxed its email policy in November 2007 when its Security Services and Privacy\nExecutive Steering Committee approved the Large Business and International (LB&I) Division\nto begin a Secure Email With Taxpayers pilot. This pilot began with 12 volunteer corporate\ntaxpayers and ended in September 2008 with 35 corporate taxpayers.\nIn October 2008, the Security Services and Privacy Executive Steering Committee approved the\nLB&I Division\xe2\x80\x99s request to incorporate the Secure Email With Taxpayers pilot in its standard\n\n\n1\n  The Secure Enterprise Messaging System allows users to digitally encrypt email messages and attachments that\ncontain Sensitive But Unclassified data.\n2\n  NIST Special Publication 800-45, Guidelines on Electronic Mail Security, February 2007, and\nNIST 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information, April 2010.\n                                                                                                         Page 1\n\x0c                                      Additional Security Is Needed\n                                for the Taxpayer Secure Email Program\n\n\n\noperating procedures. During our review, over 200 taxpayers were enrolled in the LB&I\nDivision\xe2\x80\x99s Secure Email With Taxpayers program.\nIn February 2009, the IRS changed its official internal policy on transmitting SBU data by email\nto taxpayers. The policy was revised as follows:\n       \xe2\x80\x9cIRS employees may never send SBU data by electronic mail to taxpayers or their\n       representatives unless they are using a technology and methodology that has been\n       approved by the Security Services and Privacy Executive Steering Committee and the\n       Senior Executive Team.\xe2\x80\x9d\nThe Security Services and Privacy Executive Steering Committee also approved the IRS Office\nof Appeals to begin a Secure Email With Taxpayers pilot in June 2009. The pilot is limited to\nonly the employees in the Appeals Team Case Leader groups that process large dollar taxpayer\ncases routed from the LB&I Division. The Office of Appeals employees and the employees in\nthe LB&I Division usually communicate with the same taxpayers. The technology, processes,\nand procedures for the Office of Appeals pilot emulate what was developed and implemented by\nthe LB&I Division.\nThe Security Services and Privacy Executive Steering Committee has no plans to allow other\nIRS business units to transmit emails with SBU data to taxpayers and emphasized the Office of\nAppeals\xe2\x80\x99 participation is still in the pilot phase. In addition, the Committee considers the Secure\nEmail With Taxpayers program to be a \xe2\x80\x9climited\xe2\x80\x9d program because only the LB&I Division and\nthe Office of Appeals are authorized to participate and, within these business units, only some\nemployees are authorized to participate. In this report, we use Secure Email With Taxpayers\nprogram to refer to the LB&I Division\xe2\x80\x99s program and the Office of Appeals\xe2\x80\x99 pilot.\nWe focused this review on the technical and manual controls that the IRS implemented to protect\ntaxpayers\xe2\x80\x99 data, guard against email threats to the IRS computer network, and ensure email\npractices are compliant with Federal regulations and IRS policies. This review was performed at\nthe offices of the LB&I Division and the Office of Appeals in Washington, D.C., and Dallas,\nTexas, and at the Modernization and Information Technology Services organization\xe2\x80\x99s Office of\nCybersecurity, Computer Security Incident Response Center, End User Equipment and Services\noffice, and Enterprise Operations office in New Carrollton, Maryland. We also performed work\nin the Enterprise Operations office in Austin, Texas. We performed this review during the\nperiod January through July 2010. We conducted this performance audit in accordance with\ngenerally accepted government auditing standards. Those standards require that we plan and\nperform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our\nfindings and conclusions based on our audit objective. We believe that the evidence obtained\nprovides a reasonable basis for our findings and conclusions based on our audit objective.\nDetailed information on our audit objective, scope, and methodology is presented in Appendix I.\nMajor contributors to the report are listed in Appendix II.\n\n\n                                                                                            Page 2\n\x0c                                      Additional Security Is Needed\n                                for the Taxpayer Secure Email Program\n\n\n\n\n                                 Results of Review\n\nSome Controls Have Been Implemented to Mitigate the Risks of the\nSecure Email With Taxpayers Program\nThe Secure Email With Taxpayer program represents a departure from the traditional means of\ncommunicating with taxpayers, such as regular mail and telephone contact. With advances in\nsupporting technologies and the increased use of email by taxpayers to conduct business, we\nacknowledge this program will enhance customer service with taxpayers and provide a more\nexpedient and efficient way to trade information. During our review, over 200 corporate\ntaxpayers were enrolled in the LB&I Division\xe2\x80\x99s Secure Email With Taxpayers program.\nIn order to participate in the Secure Email With Taxpayers program, the IRS requires taxpayers\nto sign a Memorandum of Understanding (MOU) agreeing to work together to ensure the joint\nsecurity of the data transmitted in emails. The MOU is an important control that has been\nimplemented for the Secure Email With Taxpayers program because it sets up the parameters for\nthe program as well as the responsibilities for both parties. For example, the MOU states,\n   \xe2\x80\x9cIt is the intention of both parties to this MOU that encrypted emails be used for the\n   transmission of sensitive or confidential tax-related information\xe2\x80\xa6\xe2\x80\x9d\nEncryption provides the technological protection of the email and all data files attached to the\nemails while being transmitted by either party. The taxpayer is required to have a compatible\nsecure email system with encryption capability to participate in the program.\nAnother important aspect of the MOU is the identification of authorized individuals allowed to\nsend and receive emails under this program. The specific names of IRS employees authorized to\nsend and receive emails are required to be listed in an attachment to the MOU. Once the MOU is\nsigned by both parties, only listed individuals are authorized to participate in the Secure Email\nWith Taxpayers program. Allowing only the specific individuals to send and receive emails\nensures that the confidentiality of data are maintained, especially since some taxpayers\nparticipating in this program are large and mid-sized businesses and are being represented by\nattorneys, accountants, and administrative personnel. In addition, the IRS has effective controls\nto remove employees\xe2\x80\x99 email accounts from the email system when an employee separates from\nthe IRS.\nWe also found that the LB&I Division and Office of Appeals provided guides on secure\ncommunication to their employees with instructions on how to exchange digital signature\ncertificates between the IRS and taxpayers\xe2\x80\x99 email systems. These step-by-step guides explain\nhow to securely communicate using email and caution employees not to type sensitive\n\n                                                                                            Page 3\n\x0c                                      Additional Security Is Needed\n                                for the Taxpayer Secure Email Program\n\n\n\ninformation in the subject line of the email or in the name of a file attachment because these parts\nare not encrypted.\nLastly, we found that antivirus software is installed and operating properly on 98 percent of the\nIRS\xe2\x80\x99s computer workstations. This security software was installed long before the Secure Email\nWith Taxpayers program was initiated and is critical because the workstation is the last line of\ndefense in detecting and removing viruses.\nAlthough the IRS implemented some controls, additional actions are needed to protect taxpayers\xe2\x80\x99\nsensitive data and the IRS computer network.\n\nAn Automated Control to Detect Sensitive But Unclassified Data in\nUnencrypted Emails Transmitted Outside the Internal Revenue\nService Has Not Been Implemented\nAs previously stated in this report, the IRS must implement automated controls, such as a data\nleakage prevention tool, to detect and prevent SBU data from inappropriately leaking from the\nIRS, including sensitive data transmitted in emails.\nThe IRS is currently acquiring an enterprise data leakage prevention system. This key control\nwas not implemented prior to approving the LB&I Division\xe2\x80\x99s Secure Email With Taxpayers pilot\nbecause the IRS, along with the Department of the Treasury, determined the data loss prevention\nsolutions in the marketplace at that time were not mature or robust enough to address the IRS\xe2\x80\x99s\nneeds. The Co-Chairman of the Security Services and Privacy Executive Steering Committee\nalso cited the following reasons for approving the program without a data loss prevention system\nin place.\n   \xe2\x80\xa2   The MOU signed by the taxpayer affords a sufficient level of protection. The taxpayer\n       accepts the risks when signing the MOU.\n   \xe2\x80\xa2   The taxpayers involved in the Secure Email With Taxpayers program are business\n       professionals and have email systems capable of encrypting the emails.\nThe IRS now believes the enterprise-level data leakage prevention solutions currently available\nfor purchase have the capability of working with security software already in place and can\nhandle the large amount of electronic information generated by a large organization. The IRS is\nin the early stages of the acquisition and expects to have a data leakage prevention control fully\nimplemented by April 2012, which would be 4 years after the LB&I Division Secure Email With\nTaxpayers pilot was approved.\nWithout an automated control to identify and prevent unencrypted emails with sensitive data\nfrom leaving the IRS, sensitive data could be exposed to unauthorized access and disclosure.\nUntil the data leakage prevention solution is fully implemented, the IRS must rely solely on the\neffectiveness of manual controls. For example, the IRS must have effective procedures and\n\n                                                                                             Page 4\n\x0c                                           Additional Security Is Needed\n                                     for the Taxpayer Secure Email Program\n\n\n\ntraining to ensure employees follow the security policies and report violations of the program to\nensure sensitive data are adequately protected.\n\nRecommendation\nRecommendation 1: The Associate Chief Information Officer, Cybersecurity, should\ncontinue with the acquisition of a data leakage prevention system to ensure full deployment by\nApril 2012. This data leakage prevention system should include the ability to identify and stop\nunencrypted emails containing sensitive data, such as Social Security Numbers, from leaving the\nIRS domain.\n        Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The IRS\n        stated that it would deploy a data leakage prevention solution through the Safeguarding\n        Personally Identifiable Information Data Extracts project. The Safeguarding Personally\n        Identifiable Information Data Extracts project will implement Data-In-Motion\n        components to address this issue. In addition, the project will also coordinate the\n        deployment of Incident Response workflows with respective organizations including the\n        Office of Privacy, Information Protection and Data Security. The final scope for policy,\n        rules, and corrective actions will be determined with input from the Treasury Inspector\n        General for Tax Administration and other stakeholders. The IRS set an implementation\n        date of July 1, 2012.\n\nAdditional Procedures and Training to Protect Taxpayers\xe2\x80\x99 Sensitive\nData Transmitted in Emails Should Be Developed and Implemented\nThe Department of the Treasury3 requires its bureaus to develop formal, documented procedures\nto monitor and control email. These manual procedures are needed to mitigate the security risks\nof the Secure Email With Taxpayers program and are critical in light of the previous finding.\nThe IRS must develop and implement procedures and training for employees to identify and\nreport violations of the program. Examples of Secure Email violations include employees,\ntaxpayers, or taxpayers\xe2\x80\x99 representatives transmitting unencrypted emails with SBU data or\nunauthorized employees or taxpayers participating in the program. As previously stated, the\nrequirement for the taxpayer and the IRS to sign an MOU is one of the most significant manual\ncontrols established to date.\nTo evaluate program compliance, we selected 97 of the 582 program employees and reviewed\nemails that were sent or received. We found some employees authorized4 to participate in the\n\n\n3\n  Treasury Directive Publication 85-01, Treasury Information Technology Security Program, November 3, 2006.\n4\n  Employees are authorized to participate in this program when the employee\xe2\x80\x99s name is listed on an attachment to\nthe MOU and the MOU is signed by the taxpayer.\n                                                                                                           Page 5\n\x0c                                     Additional Security Is Needed\n                               for the Taxpayer Secure Email Program\n\n\n\nSecure Email With Taxpayers program were not encrypting some of their emails that contained\nSBU data.\n   \xe2\x80\xa2   Nine (9 percent) of the 97 authorized employees sent a total of 20 unencrypted emails\n       containing SBU data to 9 taxpayers. An MOU was not in place for three of the\n       taxpayers, which indicates the employee was not authorized to send SBU data to these\n       taxpayers.\n       **********************************1**********************************\n       **********************************************************************\n       ***********************************************************************\n       **************************************************************.\nWe also found employees authorized to participate in the Secure Email With Taxpayers program\nwere receiving unencrypted emails that contained SBU data.\n   \xe2\x80\xa2   Thirty-five (36 percent) of the 97 authorized employees received 128 unencrypted emails\n       with SBU data from 38 taxpayers. An MOU had not been executed for 14 of these\n       taxpayers, indicating the employee was not authorized to receive SBU emails from these\n       taxpayers.\n       ********************************1*************************************\n       *********************************************************************\n       ********************************************************************\n       We did not contact the taxpayers to determine why they did not encrypt their emails or\n       sign an MOU with the IRS. However, officials in the LB&I Division and the Office of\n       Appeals informed us that some taxpayers and their representatives have been sending\n       SBU data in emails long before the Secure Email With Taxpayers program started. The\n       IRS officials also stated they were unaware of procedures requiring them to stop or report\n       taxpayers who send emails with SBU data to IRS employees.\nThese violations of the program were not reported to the LB&I Division or the Office of Appeals\nTeam Managers or Team Coordinators or to the Modernization and Information Technology\nServices organization\xe2\x80\x99s Computer Security Incident Response Center. Furthermore, none of the\n22 LB&I Division or Office of Appeals Team Managers or Team Coordinators that we\ninterviewed were aware of any reported violations of the Secure Email With Taxpayers program.\nThese IRS officials informed us they did not receive procedures requiring them to report secure\nemail violations of the type we found in our review.\nOther IRS officials in the National Headquarters Office informed us that the IRS is not\nresponsible for reporting or stopping taxpayers from sending unencrypted SBU data in emails.\nThey believe the IRS is responsible only after receiving the data, and that taxpayers are fully\naware of the risks because, while not explicit in the MOU, the risks are discussed with each\ntaxpayer prior to signing the MOU. However, we disagree with this rationale. If taxpayers\xe2\x80\x99\n\n                                                                                           Page 6\n\x0c                                     Additional Security Is Needed\n                               for the Taxpayer Secure Email Program\n\n\n\nsensitive data are lost or stolen as a result of the Secure Email With Taxpayers program, we\nbelieve the brunt of the criticism and negative publicity would be directed at the IRS. Second,\nand more importantly, of the above 38 taxpayers that sent unencrypted email to IRS employees,\n8 (21 percent) were not the actual taxpayer; they were the taxpayers\xe2\x80\x99 representative such as a\nPower of Attorney or Public Accountant. In these instances, the taxpayers are most likely\nunaware their sensitive data were transmitted insecurely. The IRS should take all reasonable\nactions to ensure the taxpayers\xe2\x80\x99 data are protected, including responding to an unencrypted email\nwith SBU data reminding the taxpayer to encrypt the email and requesting that taxpayers who\nreceive unencrypted emails with SBU data from IRS employees report this violation to a\ndesignated IRS official. These actions would provide accountability for program compliance\nand ensure the security of the program is maintained.\nThe IRS\xe2\x80\x99s internal procedures, guides, and training briefings do not provide adequate guidance\nor instructions to employees to report violations of unencrypted emails with SBU data from\nemployees or taxpayers. We found the procedures require employees to report inadvertent\ndisclosures of sensitive information to the Computer Security Incident Response Center using\nthat office\xe2\x80\x99s online Security Incident Reporting form. However, the form instructs employees to\nreport emails sent to the wrong party. None of the above email violations that we found were\nsent to the wrong party. Furthermore, the Security Incident Reporting form instructs employees\nto use the Wage and Investment Division\xe2\x80\x99s Erroneous Taxpayer Correspondence Reporting form\nto report emails sent to the wrong party, as does the Office of Privacy, Information Protection\nand Data Security web site. The Erroneous Taxpayer Correspondence Reporting form does not\ninclude a category for unencrypted emails with SBU data sent to or received from taxpayers.\nWe also found the LB&I Division\xe2\x80\x99s Secure Communications With Taxpayers guide and Office\nof Appeals Secure Email Messaging training presentation lack specific procedures for employees\nto report violations of the Secure Email With Taxpayers\nprogram. Lastly, the IRS\xe2\x80\x99s two mandatory annual\nbriefings on information security are required for all       Although we did not find evidence\nemployees and are prepared by the Office of Privacy,            of unencrypted emails being\n                                                              intercepted or instances where\nInformation Protection and Data Security and by the            emails were sent to the wrong\nOffice of Cybersecurity. However, the Information            recipient, the risk of unauthorized\nProtection and Disclosure briefing prepared by the Office       disclosure is increased when\nof Privacy provides general guidance and penalties for        employees do not report secure\nfailing to protect sensitive data, but this briefing and the    email violations or adhere to\n                                                                   the MOU requirements.\nOffice of Cybersecurity\xe2\x80\x99s Information System Security\nbriefing do not include procedures for reporting violations\nof the Secure Email With Taxpayers program.\nWe did not find evidence of unencrypted emails being intercepted by unauthorized individuals,\nnor were our tests designed to uncover this type of illegal activity. However, the risks to\ntaxpayers\xe2\x80\x99 sensitive data are increased when employees do not report secure email violations and\n\n                                                                                          Page 7\n\x0c                                     Additional Security Is Needed\n                               for the Taxpayer Secure Email Program\n\n\n\nIRS management does not establish and reinforce clear procedures and training on secure email\npolicies.\n\nRecommendations\nRecommendation 2: The LB&I Division and the Office of Appeals should coordinate with\nthe Office of Privacy, Information Protection and Data Security to develop and enforce\nadditional procedures for employees participating in the Secure Email With Taxpayers program.\nThe procedures should address how, when, and to whom employee and taxpayer secure email\nviolations should be reported and that appropriate actions will be taken against employees who\ndo not encrypt sensitive email messages to taxpayers.\n       Management\xe2\x80\x99s Response: The IRS partially agreed with this recommendation. The\n       LB&I Division will take the lead and coordinate with the Office of Privacy, Information\n       Protection and Data Security to ensure the IRS\xe2\x80\x99s policy on privacy and security\n       incorporates the use of secure email with taxpayers. The LB&I Division will also ensure\n       its web site is consistent with guidance set forth by the Office of Cybersecurity on secure\n       email with taxpayers. In addition, the LB&I Division and the Office of Appeals will\n       advise its employees participating in the Secure Email With Taxpayers program of their\n       responsibilities on how, when, and to whom they should report secure email violations.\n       Lastly, the Office of Appeals will update its web site to link to the appropriate IRS policy\n       on privacy and security for the Secure Email With Taxpayers program.\n       Within the IRS\xe2\x80\x99s response transmittal, the IRS stated its disciplinary procedures are\n       appropriate for addressing email violations without the need for further delineation in the\n       Secure Email procedures.\n       Office of Audit Comment: The IRS\xe2\x80\x99s disciplinary procedures state the penalty for an\n       employee who fails to maintain security for Personally Identifiable Information is\n       admonishment up to a 14-day suspension. The penalty for a second offense is a 15-day\n       suspension up to removal from the IRS. The penalty for the third offense is removal\n       from the IRS. We believe these penalties should be delineated, or at least referenced, in\n       the Secure Email procedures and would serve as a warning to employees who do not\n       comply with encrypting email messages to taxpayers.\nRecommendation 3: The LB&I Division and the Office of Appeals should update guides and\ntraining materials to include the new reporting procedures.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The IRS\n       stated that the Director, Business Systems Planning, LB&I Division, will update IRS\n       training materials and guides to include all current and any new reporting procedures and\n       policies relating to the Secure Email program. In addition, the Office of Appeals will\n       update its web site to link to the approved IRS training materials and guides.\n\n                                                                                            Page 8\n\x0c                                    Additional Security Is Needed\n                              for the Taxpayer Secure Email Program\n\n\n\nRecommendation 4: The LB&I Division and the Office of Appeals should coordinate to\namend the MOU to apprise the taxpayer of the specific risks associated with transmitting\nunencrypted emails with SBU data and provide specific actions that will be taken when\ntaxpayers or their representatives do not comply with the terms of the MOU. For example, the\nIRS could potentially terminate the MOU if the taxpayer or taxpayer\xe2\x80\x99s representatives repeatedly\nfail to encrypt sensitive emails. These actions would provide accountability to taxpayers to\ncomply with the MOU.\n       Management\xe2\x80\x99s Response: The IRS partially agreed with this recommendation and\n       stated that the Director, Business Systems Planning, LB&I Division, will modify the\n       existing Secure Email With Taxpayers MOU template to make taxpayers fully aware of\n       the security risks if they choose to send unencrypted email. In addition, the LB&I\n       Division and the Office of Appeals will issue the modified MOU to all its participants in\n       the Secure Email program. Within the IRS\xe2\x80\x99s response transmittal, the IRS stated it will\n       not amend the MOU to address taxpayers\xe2\x80\x99 noncompliance with the MOU.\n       Office of Audit Comment: We disagree with the IRS\xe2\x80\x99s decision to not amend the\n       MOU to address taxpayers\xe2\x80\x99 noncompliance with the MOU. As stated in the report, many\n       taxpayers are most likely unaware their sensitive information was transmitted insecurely\n       because many of the violations we found were sent by the taxpayers\xe2\x80\x99 representatives,\n       such as a Power of Attorney or Public Accountant. The IRS should take all reasonable\n       actions to protect the taxpayers\xe2\x80\x99 sensitive data. These actions should include developing\n       procedures and penalties to address taxpayers or taxpayer representatives who do not\n       comply with the security terms of the MOU. The procedures and penalties should be\n       explicitly stated in the MOU.\nRecommendation 5: The Office of Privacy, Information Protection and Data Security should\ntake actions to update the IRS\xe2\x80\x99s official internal procedures with the additional procedures\ndeveloped by the LB&I Division and the Office of Appeals and post the procedures to its internal\nweb site.\n       Management\xe2\x80\x99s Response: The IRS agreed with the recommendation and stated that\n       the corrective actions have already been completed. The IRS stated that in August 2010,\n       the Office of Privacy, Information Protection and Data Security updated its internal web\n       site to reflect current IRS guidance and procedures for sending email containing\n       Personally Identifiable Information within the IRS as well as to authorized non-IRS\n       parties. The IRS also stated that its current guidance indicates the only approved process\n       for sending secure email containing Personally Identifiable Information to taxpayers or\n       their representatives is through the encryption solution utilized in the LB&I Division and\n       the Office of Appeals Secure Email pilots, and only approved pilot participants could use\n       this capability. The Office of Privacy, Information Protection and Data Security will\n       continue to monitor the Secure Email pilots and programs and will update its internal web\n       site, as appropriate, as new procedures are developed.\n\n                                                                                          Page 9\n\x0c                                    Additional Security Is Needed\n                              for the Taxpayer Secure Email Program\n\n\n\n       Office of Audit Comment: Although the IRS agreed with this recommendation, its\n       corrective actions are not sufficient to address the recommendation. As stated in the\n       report, the IRS\xe2\x80\x99s current procedures in its Internal Revenue Manual do not provide\n       adequate guidance to employees on reporting violations of unencrypted emails with SBU\n       data. The lack of a data leakage prevention system until July 2012 makes these\n       procedures more critical. The IRS\xe2\x80\x99s Internal Revenue Manual is intended to provide the\n       official procedures that employees are required to follow. These internal procedures\n       should be updated with the additional procedures we recommended in\n       Recommendation 2 above. The Internal Revenue Manual procedures should require the\n       employees to report secure email violations and address how, when, and to whom\n       employee and taxpayer secure email violations should be reported.\n       We reviewed the update to the Office of Privacy\xe2\x80\x99s web site that was completed in\n       August 2010 and found the update does not include the additional procedures that we\n       recommended the LB&I Division and the Office of Appeals develop. For example, the\n       web site does not include new procedures regarding how, when, and to whom employee\n       and taxpayer secure email violations should be reported.\nRecommendation 6: The Office of Privacy, Information Protection and Data Security should\nupdate the Annual Information Protection and Disclosure Briefing to include the new Secure\nEmail With Taxpayers procedures.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The IRS\n       stated that the Office of Privacy, Information Protection and Data Security, will update\n       the Annual Information Protection and Disclosure Briefing to indicate Secure Email With\n       Taxpayers can occur only under agency/Modernization and Information Technology\n       Services approved pilots and programs.\nRecommendation 7: The Associate Chief Information Officer, Cybersecurity, should update\nthe mandatory annual Information Systems Security briefing to include or reference the new\nSecure Email With Taxpayers procedures.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The\n       Associate Chief Information Officer, Cybersecurity, will update the Information Systems\n       Security supplemental briefing to include or reference the Secure Email With Taxpayers\n       procedures. This supplemental briefing is a part of the mandatory security awareness\n       training provided to all IRS employees annually.\n\nMedium-Risk Vulnerabilities on Email Servers Are Not Timely\nCorrected\nThe Modernization and Information Technology Services organization\xe2\x80\x99s Enterprise Operations\noffice conducts monthly security assessments of its 70 email servers using the Windows Policy\n\n                                                                                       Page 10\n\x0c                                            Additional Security Is Needed\n                                      for the Taxpayer Secure Email Program\n\n\n\nChecker tool.5 The monthly assessments conducted from September 2009 through\nFebruary 2010 determined that each of the email servers failed between 73 and 79 medium-risk\nsecurity checks each month. The number of failed security checks on each server was the same\neach month, indicating the same security vulnerabilities exist on the same servers each month\nand are not being timely corrected. Examples of the vulnerabilities that were not addressed\ninclude:\n    \xe2\x80\xa2    The setting to prevent anonymous connections to the email server was not configured in\n         compliance with IRS procedures. IRS procedures require the anonymous connection\n         setting be configured to the default value \xe2\x80\x9cNull\xe2\x80\x9d to prevent the server from being\n         accessed by any network user. This weakness could lead to exposure or corruption of\n         sensitive corporate data.\n    \xe2\x80\xa2    The settings to restrict access permissions to files, directories, and registry settings on the\n         email servers were not configured to prevent unauthorized individuals from exploiting\n         the email servers.\n    \xe2\x80\xa2    The settings for passwords and audit logs were not configured to prevent or detect\n         malicious activities. The audit logs were set to overwrite, and thereby delete, critical\n         events that should be retained and reviewed in the logs. Registry settings for password\n         length and expiration were incorrectly set for local user accounts on the email servers.\nIRS policies require security weaknesses for medium-risk systems, such as the IRS\xe2\x80\x99s email\nsystem, be posted on a Plan of Actions and Milestones6 within 2 months of identification if the\nweakness cannot be fixed within 60 days. This action ensures the weaknesses receive adequate\nmanagement oversight until corrected or until mitigating controls are implemented. However,\nthe persistent medium-risk weaknesses that the IRS detected on its email servers were not posted\nto a Plan of Actions and Milestones because the IRS does not track these vulnerabilities to\nidentify recurring weaknesses from month to month.\nThe Enterprise Operations office attributed the recurring security vulnerabilities on the email\nservers to system administrators focusing on other operational support responsibilities, including\nthe daily maintenance and backup of the email system. The Enterprise Operations office also\nreported their office focused on correcting high-risk vulnerabilities, maintaining the IRS\xe2\x80\x99s\nenterprise email infrastructure, and planning the implementation of the IRS\xe2\x80\x99s new Secure\nEnterprise Messaging System. This focus diverted resources from correcting vulnerabilities\nfound on the current email servers.\n\n\n\n\n5\n An automated tool used to determine whether systems are adhering to security policies.\n6\n The purpose of a Plan of Actions and Milestones is to assist agencies in identifying, assessing, prioritizing, and\nmonitoring the progress of corrective efforts for security weaknesses found in programs and systems.\n                                                                                                             Page 11\n\x0c                                           Additional Security Is Needed\n                                     for the Taxpayer Secure Email Program\n\n\n\nRecommendation\nRecommendation 8: To ensure persistent medium-risk vulnerabilities receive management\noversight and timely corrective actions, the Associate Chief Information Officer, Enterprise\nOperations, should ensure the vulnerabilities detected on each email server during the monthly\nsecurity assessments are appropriately tracked. If persistent medium-risk vulnerabilities cannot\nbe corrected within 2 months, the Enterprise Operations office should follow IRS security\nrequirements to post the vulnerabilities to the appropriate Plan of Actions and Milestones.\n         Management\xe2\x80\x99s Response: The IRS agreed with this recommendation and stated that\n         the Associate Chief Information Officer, Enterprise Operations, will initiate tracking and\n         correction of medium-risk vulnerabilities. A process will be implemented to ensure all\n         medium-risk vulnerabilities that cannot be corrected within 60 days and high-risk\n         vulnerabilities that cannot be corrected within 30 days of detection will be documented\n         within a Plan of Actions and Milestones.\n\nSome Unauthorized Employees Are Sending and Receiving Sensitive\nData in Emails\nAs previously stated in this report, the MOU provides the management control that only\nauthorized employees, taxpayers, and taxpayers\xe2\x80\x99 representatives are sending and receiving\nemails under the Secure Email With Taxpayers program. To ensure this control\xe2\x80\x99s effectiveness,\nboth the IRS and the taxpayer must be diligent in updating the list of authorized individuals who\nmay conduct business for both the IRS and the taxpayer. The confidentiality of sensitive data is\nmaintained when the email senders and recipients are known and authorized to send and receive\nemails.\nTo determine whether only authorized individuals are participating in the Secure Email With\nTaxpayers program, we selected a sample of 70 employees from the LB&I Division and the\nOffice of Appeals who have not been authorized to participate in the program7 and reviewed\ntheir historical emails. We found some of these employees are sending and receiving\nunencrypted emails to and from taxpayers or their representatives, most of whom are also not\nauthorized to participate in the program.\n    \xe2\x80\xa2    Seven (10 percent) of the 70 unauthorized employees in our sample sent a total of\n         21 unencrypted emails containing SBU data to 14 taxpayers. An MOU had not been\n         executed for the 14 taxpayers.\n\n\n\n\n7\n  Employees are not authorized to participate in this program if there is no signed MOU on file or if the attachment\nto the signed MOU does not list their names as participants of the program.\n                                                                                                            Page 12\n\x0c                                      Additional Security Is Needed\n                                for the Taxpayer Secure Email Program\n\n\n\n       As an example, we found one employee sent a total of eight unencrypted emails\n       containing SBU data to four different taxpayers.\n   \xe2\x80\xa2   Twenty-two (31 percent) of the 70 unauthorized employees received a total of\n       104 unencrypted emails containing SBU data from 64 taxpayers. An MOU was not in\n       place for 58 of these taxpayers.\n       As examples, *************************1*********************************\n       ************************************1*********************************\n       **********************************1*************************** Another\n       employee received a total of 19 unencrypted emails with SBU data from 5 different\n       taxpayers.\nThe employees above were not included in any MOU and violated the IRS policy that prohibits\nsending emails with SBU data unless participating in the Secure Email With Taxpayers program.\nWe believe that many of these employees knowingly disregarded the Secure Email With\nTaxpayers program and do not fully understand the risk of unnecessarily exposing the release of\ntaxpayer data. Without a systemic monitoring solution to prevent unencrypted emails from\nleaving the IRS (i.e., a data loss prevention solution cited in the previous finding), the IRS cannot\nstop these types of emails from occurring other than by relying on employee compliance.\nThe credibility and purpose of the program are undermined when non-participating employees\nsend and receive unencrypted emails from taxpayers. The number of employees and taxpayers\nsending and receiving SBU emails without signing an MOU indicates that the most significant\nmanagement control that the IRS has implemented is not effective at ensuring only authorized\nindividuals are sending SBU emails to taxpayers. When unauthorized employees send and\nreceive emails with SBU data to and from taxpayers, the risk of unauthorized disclosure of\ntaxpayer data is increased.\n\nRecommendation\nRecommendation 9: The LB&I Division and the Office of Appeals should issue a\nmemorandum to their employees reminding them of the Secure Email With Taxpayers policy\nand the actions that will be taken against unauthorized employees who violate the policy by\nsending or receiving emails with SBU data to or from taxpayers.\n       Management\xe2\x80\x99s Response: The IRS partially agreed with this recommendation. The\n       IRS stated that the LB&I Division and the Office of Appeals will issue a memorandum or\n       communication to all of their employees reminding them that only employees officially\n       participating in the Secure Email program are permitted to transmit emails with SBU data\n       to taxpayers. Within the IRS\xe2\x80\x99s response transmittal, the IRS stated that it believes any\n       appropriate actions against noncompliant employees will fall under the normal\n       disciplinary procedures.\n\n                                                                                            Page 13\n\x0c                              Additional Security Is Needed\n                        for the Taxpayer Secure Email Program\n\n\n\nOffice of Audit Comment: To ensure compliance with the Secure Email policy, we\nbelieve the IRS should provide, or at least reference, the actions that will be taken against\nunauthorized employees who transmit SBU emails to or from taxpayers. Explicitly\nstating these penalties would serve as a warning to employees who have not been\napproved to send or receive SBU data to or from taxpayers.\n\n\n\n\n                                                                                     Page 14\n\x0c                                         Additional Security Is Needed\n                                   for the Taxpayer Secure Email Program\n\n\n\n                                                                                            Appendix I\n\n         Detailed Objective, Scope, and Methodology\n\nThe overall objective of this review was to determine whether IRS controls, policies, and\nprocedures for sensitive email messages to taxpayers adequately protected taxpayers\xe2\x80\x99 data,\nguarded against email threats to the IRS network, and ensured email practices were compliant\nwith Federal regulations. To accomplish this objective, we:\nI.      Determined whether IRS employees authorized and profiled to correspond with taxpayers\n        using encrypted email are in fact encrypting the email messages to protect SBU data.\n        A. Interviewed project leaders and managers in the LB&I Division and the Office of\n           Appeals and reviewed training guidance and local procedures to determine how the\n           Secure Email With Taxpayers program1 is administered and the level of oversight it\n           receives.\n        B. Determined whether disciplinary actions have been taken against IRS employees for\n           violating the Secure Email With Taxpayers program policies by interviewing\n           managers to determine if secure email violations have occurred and were reported and\n           if appropriate disciplinary actions were taken. We also determined whether employee\n           security awareness training includes reminders of disciplinary actions for email\n           abuse.\n        C. Determined the population of LB&I Division and Office of Appeals employees and\n           taxpayers enrolled in the secure email program since the program began.\n        D. Selected a random sample of 97 LB&I Division and Office of Appeals employees\n           who were authorized to participate in the Secure Email With Taxpayers program and\n           a random sample of 70 employees from the same offices who were not authorized.\n           We then requested a download of the employees\xe2\x80\x99 Outlook mailbox. On February 18,\n           2010, we requested that 6 months of email activity, September 2009 through\n           February 2010, be included in each mailbox for each employee. However, we did not\n           receive all the historical emails that we requested for all employees in our samples.\n           We received a disparate percentage of historical emails for 109 (60 percent) of the\n           167 employees. For the remaining 58 employees, the IRS provided the employees\xe2\x80\x99\n           current mailbox as of February 2010, which was after we initiated our audit.\n\n\n1\n The IRS refers to the Secure Email With Taxpayers program as a \xe2\x80\x9climited\xe2\x80\x9d program because only LB&I Division\nand Office of Appeals employees listed on a signed MOU are authorized to send and receive Sensitive But\nUnclassified data in emails to and from taxpayers.\n                                                                                                    Page 15\n\x0c                          Additional Security Is Needed\n                    for the Taxpayer Secure Email Program\n\n\n\nThe Modernization and Information Technology Services\xe2\x80\x99 Enterprise Operations\n(EOPS) office experienced technical challenges in retrieving and combining the\nweekly backup tapes that contained the 6 months of emails we requested for our\nsample. The EOPS office informed us at the start of the review that retrieving the\nhistorical emails would be challenging. Because of these challenges, on\nMarch 11, 2010, we reduced our scope from 6 to 3 months of historical emails, which\nreduced the number of backup tapes from 24 to 12. On April 20, 2010, we reduced\nour request again to only one backup tape for each of the previous 3 months. We also\nagreed to perform the work to combine the weekly backup tapes into one file for each\nemployee, allowing the EOPS office to concentrate on retrieving the tapes. However,\nthe EOPS office continued to report that the labor-intensive process of retrieving the\nweekly backup tapes along with other competing data requests was straining their\nresources. On May 20, 2010, the EOPS office informed us our data request was\ncausing employees to cancel scheduled time-off, work weekends, and impacting its\nother requests for data. On May 21, 2010, 88 days after our initial request, we asked\nthe EOPS office to discontinue its efforts.\nAlthough we could not evaluate all of the emails that employees sent to and received\nfrom taxpayers during the 6-month or 3-month period preceding our audit, we believe\nthe email activity the IRS provided was sufficient to determine some employees were\nnot encrypting some of their emails with SBU data.\nSampling Methodology\nWe compiled a list of all LB&I Division employees who were authorized to\nparticipate nationwide. The total population was 567 employees. To mitigate the\nIRS\xe2\x80\x99s anticipated technical challenges in retrieving the mailboxes, we selected\nparticipating employees in three LB&I Division offices, rather than a random sample\nof employees from across the Nation. We selected all 82 of the participating\nemployees in the three largest offices, which were: Dallas, Texas (30 employees);\nNew York, New York (27 employees); and Houston, Texas (25 employees). We also\nrequested the mailboxes for all 15 Appeals employees authorized to participate\nnationwide. This sampling methodology was sufficient to identify a control weakness\nand prompt management to take corrective action.\nWe also selected 55 LB&I Division employees who were not authorized to participate\nfrom the same offices. We selected 20 employees from the Dallas office, 15\nemployees from the Houston office, and 20 employees from the New York office.\nLastly, we selected 15 Office of Appeals employees, nationwide, who were not\nauthorized to send and receive SBU data in emails to taxpayers because they were not\nlisted on an MOU.\n\n\n\n                                                                              Page 16\n\x0c                                     Additional Security Is Needed\n                               for the Taxpayer Secure Email Program\n\n\n\n       E. Determined whether only authorized employees are using email to send and receive\n          SBU data to and from taxpayers in compliance with IRS policies and procedures by\n          reviewing unencrypted emails in the mailboxes.\n       F. Evaluated the encryption used by the IRS to ensure compliance with Federal\n          Information Processing Standard (FIPS Data Encryption Standard 46-3).\nII.    Determined whether the IRS is retaining email correspondence in accordance with\n       applicable Federal requirements and IRS procedures.\n       A. Reviewed the IRS email retention policy and procedures to determine whether\n          procedures include an approved recordkeeping system, electronic records are\n          retrievable, and the encryption key is stored with the emails to allow decryption.\n       B. Determined whether all offices reviewed are following the same policies and\n          procedures and using the same email recordkeeping system.\nIII.   Determined whether the IRS has implemented adequate controls to ensure the email\n       system is secure and malicious content is not delivered to IRS employees or taxpayers.\n       A. Reviewed the Secure Enterprise Messaging System Security Plan and evaluated the\n          security controls that have been implemented.\n       B. Identified all email servers that process LB&I Division and Office of Appeals emails\n          with taxpayers.\n       C. Confirmed that the IRS is regularly conducting scans and vulnerability assessments\n          on the email servers to ensure the email applications are configured securely.\n       D. Determined whether the IRS is actively scanning incoming email for malicious\n          content on the primary main servers before email is sent to the end users and is\n          actively scanning outgoing mail for sensitive information leaving the IRS network by\n          reviewing and evaluating the email policies and rules and interviewing key IRS\n          officials. We also determined how often the rules are modified and whether the\n          antivirus software is enabled and properly updated by reviewing security assessment\n          reports that are run each week and presented to IRS executives. Lastly, we evaluated\n          the process the IRS has implemented to handle \xe2\x80\x9cspam\xe2\x80\x9d and other bulk emails.\nIV.    Determined whether the IRS is timely closing email accounts of employees participating\n       in the Secure Email With Taxpayers program when the employees leave the IRS.\n       A. Determined whether the IRS has implemented a process to ensure employees\xe2\x80\x99 email\n          accounts are closed when an employee participating in the Secure Email With\n          Taxpayers program leaves the IRS by interviewing LB&I Division and Office of\n          Appeals secure email project leaders.\n\n\n                                                                                         Page 17\n\x0c                            Additional Security Is Needed\n                      for the Taxpayer Secure Email Program\n\n\n\nB. Determined whether the email accounts of participating employees, who departed the\n   IRS in the last 12 months, were properly deleted from the email system.\n\n\n\n\n                                                                              Page 18\n\x0c                                   Additional Security Is Needed\n                             for the Taxpayer Secure Email Program\n\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nAlan Duncan, Assistant Inspector General for Audit (Security and Information Technology\nServices)\nKent Sagara, Director\nAllen Gray, Audit Manager\nCharles Ekunwe, Senior Auditor\nGeorge Franklin, Senior Auditor\nLarry Reimer, Senior Auditor\nSuzanne Westcott, Senior Auditor\n\n\n\n\n                                                                                     Page 19\n\x0c                                    Additional Security Is Needed\n                              for the Taxpayer Secure Email Program\n\n\n\n                                                                              Appendix III\n\n                          Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nAssociate Chief Information Officer, Cybersecurity OS:CTO:C\nAssociate Chief Information Office, Enterprise Operations OS:CTO:EO\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaisons:\n       Commissioner, Large Business and International Division SE:LB\n       Chief, Office of Appeals AP\n       Director, Office of Privacy, Information Protection and Data Security OS:P\n       Director, Risk Management Division OS:CTO:SP:RM\n\n\n\n\n                                                                                    Page 20\n\x0c                 Additional Security Is Needed\n           for the Taxpayer Secure Email Program\n\n\n\n                                               Appendix IV\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                    Page 21\n\x0c      Additional Security Is Needed\nfor the Taxpayer Secure Email Program\n\n\n\n\n                                        Page 22\n\x0c      Additional Security Is Needed\nfor the Taxpayer Secure Email Program\n\n\n\n\n                                        Page 23\n\x0c      Additional Security Is Needed\nfor the Taxpayer Secure Email Program\n\n\n\n\n                                        Page 24\n\x0c      Additional Security Is Needed\nfor the Taxpayer Secure Email Program\n\n\n\n\n                                        Page 25\n\x0c      Additional Security Is Needed\nfor the Taxpayer Secure Email Program\n\n\n\n\n                                        Page 26\n\x0c      Additional Security Is Needed\nfor the Taxpayer Secure Email Program\n\n\n\n\n                                        Page 27\n\x0c      Additional Security Is Needed\nfor the Taxpayer Secure Email Program\n\n\n\n\n                                        Page 28\n\x0c'